
Adding security fixes see:
jmontoyaa committed May 22, 2014
1 parent 1eace48 commit 70ec4e1
Showing 6 changed files with 106 additions and 105 deletions.
2 changes: 1 addition & 1 deletion main/auth/profile.php
Expand Up @@ -356,7 +356,7 @@ function check_user_password($password){
$user_id = api_get_user_id();
if ($user_id != strval(intval($user_id)) || empty($password)) { return false; }
$table_user = Database :: get_main_table(TABLE_MAIN_USER);
$password = api_get_encrypted_password($password);
$password = Database::escape_string(api_get_encrypted_password($password));
$sql_password = "SELECT * FROM $table_user WHERE user_id='".$user_id."' AND password='".$password."'";
$result = Database::query($sql_password);
return Database::num_rows($result) != 0;
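Review bot: The query on the `$sql_password` line still selects every column of the user table when the function only tests `Database::num_rows`; `SELECT user_id FROM $table_user WHERE ...` would avoid pulling the stored hash and the rest of the row through the driver for a yes/no check. The `$user_id` integer guard and the added `Database::escape_string` on the hashed value now cover both interpolated values; a prepared statement would make that explicit if `Database` offers one, which this hunk does not show. check_user_password starts outside the hunk — only its signature is visible, in the hunk header.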
14 changes: 8 additions & 6 deletions main/course_info/infocours.php
Expand Up @@ -44,12 +44,12 @@

//LOGIC FUNCTIONS
function is_settings_editable() {
return isset($GLOBALS['course_info_is_editable']) && $GLOBALS['course_info_is_editable'];
return isset($GLOBALS['course_info_is_editable']) && $GLOBALS['course_info_is_editable'];
}

/* MAIN CODE */
if (!$is_allowedToEdit) {
api_not_allowed(true);
api_not_allowed(true);
}

$show_delete_watermark_text_message = false;
Expand Down Expand Up @@ -78,8 +78,8 @@ function is_settings_editable() {
$q_result_titulars = Database::query($s_sql_course_titular);

if (Database::num_rows($q_result_titulars) == 0) {
$sql = "SELECT username, lastname, firstname FROM $tbl_user as user, $tbl_admin as admin WHERE admin.user_id=user.user_id ORDER BY ".$target_name." ASC";
$q_result_titulars = Database::query($sql);
$sql = "SELECT username, lastname, firstname FROM $tbl_user as user, $tbl_admin as admin WHERE admin.user_id=user.user_id ORDER BY ".$target_name." ASC";
$q_result_titulars = Database::query($sql);
}

$a_profs[0] = '-- '.get_lang('NoManager').' --';
Expand Down Expand Up @@ -134,7 +134,7 @@ function is_settings_editable() {


$form->add_textfield('title', get_lang('Title'), true, array('class' => 'span6'));
//$form->applyFilter('title', 'html_filter');
$form->applyFilter('title', 'html_filter');
$form->applyFilter('title', 'trim');

//$form->add_textfield('tutor_name', get_lang('Professors'), true, array ('size' => '60'));
Expand All @@ -154,9 +154,11 @@ function is_settings_editable() {
$form->addElement('select_language', 'course_language', array(get_lang('Ln'), get_lang('TipLang')));

$form->add_textfield('department_name', get_lang('Department'), false, array('class' => 'span5'));
$form->applyFilter('department_name', 'html_filter');
$form->applyFilter('department_name', 'trim');

$form->add_textfield('department_url', get_lang('DepartmentUrl'), false, array('class' => 'span5'));
$form->applyFilter('department_url', 'html_filter');
//$form->addRule('tutor_name', get_lang('ThisFieldIsRequired'), 'required');


Expand Down Expand Up @@ -424,7 +426,7 @@ function is_settings_editable() {

//Variables that will be saved in the TABLE_MAIN_COURSE table
$update_in_course_table = array('title', 'course_language','category_code','department_name', 'department_url','visibility',
'subscribe', 'unsubscribe','tutor_name','course_registration_password', 'legal', 'activate_legal');
'subscribe', 'unsubscribe','tutor_name','course_registration_password', 'legal', 'activate_legal');

foreach ($update_values as $index =>$value) {
$update_values[$index] = Database::escape_string($value);
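Review bot: In the hunk at `@@ -154,9 +154,11 @@`, `department_url` receives `html_filter` but, unlike `title` and `department_name`, no `trim` filter, and neither filter checks that the value is actually a URL. Since the stored value is presumably rendered as a link, stripping tags alone does not guarantee an `http(s)` scheme; adding `$form->applyFilter('department_url', 'trim');` next to the existing `html_filter` line and a scheme/format check before the value reaches `$update_in_course_table` would close that gap. The `ORDER BY ".$target_name."` interpolation in the `@@ -78,8 +78,8 @@` hunk is only re-indented here, but `$target_name`'s origin is not visible in this diff and is worth confirming as a fixed column name rather than request input.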
87 changes: 47 additions & 40 deletions main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php
100644 → 100755
Expand Up @@ -22,77 +22,87 @@
* Configuration file for the File Manager Connector for PHP.
*/

// Modifications by Ivan Tcholakov, JUN-2009.
// Modifications by Ivan Tcholakov, JUN-2009.

// Some language variables are needed.
$language_file = array('create_course');

// Loading the global initialization file, Chamilo LMS.
require_once '../../../../../../global.inc.php';

// Disabling access for anonymous users.
api_block_anonymous_users();

// Initialization of the repositories.
require_once api_get_path(LIBRARY_PATH).'fckeditor/repository.php' ;

global $Config ;
global $Config;

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ;


// Path to user files relative to the document root.
//$Config['UserFilesPath']
$Config['UserFilesPath'] = null;

$userId = api_get_user_id();


if (api_is_in_course()) {
if (!api_is_in_group()) {
// 1. We are inside a course and not in a group.
if (api_is_allowed_to_edit()) {
$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document/';
} else {
// 1.2. Student
$current_session_id = api_get_session_id();
if($current_session_id==0)
{
$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.api_get_user_id().'/';
}
else
{
$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.api_get_user_id().'/';
}
}
} else {
// 2. Inside a course and inside a group.
global $group_properties;
$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
}
$coursePath = api_get_path(REL_COURSE_PATH).api_get_course_path();
if (!api_is_in_group()) {
// 1. We are inside a course and not in a group.
if (api_is_allowed_to_edit()) {
$Config['UserFilesPath'] = $coursePath.'/document/';
} else {
// 1.2. Student
$current_session_id = api_get_session_id();
if ($current_session_id == 0) {
$Config['UserFilesPath'] = $coursePath.'/document/shared_folder/sf_user_'.$userId.'/';
} else {
$Config['UserFilesPath'] = $coursePath.'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.$userId.'/';
}
}
} else {
$groupId = api_get_group_id();
$groupInfo = GroupManager::get_group_properties($groupId);
if (!empty($groupInfo)) {
// 2. Inside a course and inside a group.
$Config['UserFilesPath'] = $coursePath.'/document'.$groupInfo['directory'].'/';
}
}
} else {
if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin') {
// 3. Platform administration activities.
$Config['UserFilesPath'] = api_get_path(REL_PATH).'home/default_platform_document/';
} else {
// 4. The user is outside courses.
$my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(),'rel');
$Config['UserFilesPath'] = $my_path['dir'].'my_files/';
}
if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin') {
// 3. Platform administration activities.
$Config['UserFilesPath'] = api_get_path(REL_PATH).'home/default_platform_document/';
} else {
// 4. The user is outside courses.
$my_path = UserManager::get_user_picture_path_by_id($userId, 'rel');
$Config['UserFilesPath'] = $my_path['dir'].'my_files/';
}
}

if (empty($Config['UserFilesPath'])) {
api_not_allowed(true);
}

// Fill the following value it you prefer to specify the absolute path for the
// user files directory. Useful if you are using a virtual directory, symbolic
// link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.
$Config['UserFilesAbsolutePath'] = rtrim(api_get_path(SYS_SERVER_ROOT_PATH), '/') . $Config['UserFilesPath'] ;
$Config['UserFilesAbsolutePath'] = rtrim(api_get_path(SYS_SERVER_ROOT_PATH), '/').$Config['UserFilesPath'];

// Due to security issues with Apache modules, it is recommended to leave the
// following setting enabled.
$Config['ForceSingleExtension'] = true ;
$Config['ForceSingleExtension'] = true;

// Perform additional checks for image files.
// If set to true, validate image size (using getimagesize).
$Config['SecureImageUploads'] = true;

// What the user can do with this connector.
$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;
$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder');

// Allowed Resource Types.
$Config['ConfigAllowedTypes'] = array('File', 'Audio', 'Images', 'Flash', 'Media', 'MP3', 'Video', 'Video/flv') ;
Expand Down Expand Up @@ -160,8 +170,7 @@
$Config['QuickUploadAbsolutePath']['Image'] = $Config['UserFilesAbsolutePath'] ;
into:
$Config['QuickUploadPath']['Image'] = $Config['FileTypesPath']['Image'] ;
$Config['QuickUploadAbsolutePath']['Image'] = $Config['FileTypesAbsolutePath']['Image'] ;
$Config['QuickUploadAbsolutePath']['Image'] = $Config['FileTypesAbsolutePath']['Image'];
*/

// Files
Expand Down Expand Up @@ -220,5 +229,3 @@
$Config['FileTypesAbsolutePath']['Video/flv'] = $Config['UserFilesAbsolutePath'] . 'video/flv/' ;
$Config['QuickUploadPath']['Video/flv'] = $Config['UserFilesPath'] . 'video/flv/' ;
$Config['QuickUploadAbsolutePath']['Video/flv'] = $Config['UserFilesAbsolutePath'] . 'video/flv/' ;

?>
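Review bot: The group branch guards only on `!empty($groupInfo)`, so a group record whose `directory` field is empty yields `$coursePath.'/document/'` — the same root the teacher branch grants — and the later `empty($Config['UserFilesPath'])` check does not catch it; testing `!empty($groupInfo['directory'])` instead keeps such a request on the not-allowed path. Nothing visible here verifies that the current user is a member of the group returned by `api_get_group_id()`, which is fine if `api_is_in_group()` already enforces membership, but that is not shown in this hunk and is worth confirming. The `$_SESSION['this_section'] == 'platform_admin'` comparison is carried over unchanged; `isset($_SESSION['this_section']) && $_SESSION['this_section'] === 'platform_admin'` would avoid both the loose comparison and an undefined-index notice.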
97 changes: 43 additions & 54 deletions main/inc/lib/fckeditor/editor/plugins/ImageManager/config.inc.php
Expand Up @@ -27,62 +27,54 @@
in this directory and its subdirectories.
*/
$language_file = array('document');
include '../../../../../../inc/global.inc.php';

require_once '../../../../../../inc/global.inc.php';
api_block_anonymous_users();

// Disabling access for anonymous users.
api_block_anonymous_users();

// Initialization of the repositories.
require_once api_get_path(LIBRARY_PATH).'fckeditor/repository.php';

$userId = api_get_user_id();

// Choosing the repository to be used.
if (api_is_in_course())
{
if (!api_is_in_group())
{
// 1. We are inside a course and not in a group.
if (api_is_allowed_to_edit())
{
// 1.1. Teacher
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/';
}
else
{
// 1.2. Student
$current_session_id = api_get_session_id();
if($current_session_id==0)
{
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.api_get_user_id().'/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.api_get_user_id().'/';
}
else
{
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.api_get_user_id().'/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.api_get_user_id().'/';
}
}
}
else
{
// 2. Inside a course and inside a group.
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
}
}
else
{
if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin')
{
// 3. Platform administration activities.
$IMConfig['base_dir'] = $_configuration['root_sys'].'home/default_platform_document/';
$IMConfig['base_url'] = $_configuration['root_web'].'home/default_platform_document/';
}
else
{
// 4. The user is outside courses.
$my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(),'system');
$IMConfig['base_dir'] = $my_path['dir'].'my_files/';
$my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(),'web');
$IMConfig['base_url'] = $my_path['dir'].'my_files/';
}
if (api_is_in_course()) {
if (!api_is_in_group()) {
// 1. We are inside a course and not in a group.
if (api_is_allowed_to_edit()) {
// 1.1. Teacher
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/';
} else {
// 1.2. Student
$sessionId = api_get_session_id();
if ($sessionId == 0) {
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.$userId.'/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.$userId.'/';
} else {
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$sessionId.'/sf_user_'.$userId.'/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$sessionId.'/sf_user_'.$userId.'/';
}
}
} else {
// 2. Inside a course and inside a group.
$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
}
} else {
if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin') {
// 3. Platform administration activities.
$IMConfig['base_dir'] = $_configuration['root_sys'].'home/default_platform_document/';
$IMConfig['base_url'] = $_configuration['root_web'].'home/default_platform_document/';
} else {
// 4. The user is outside courses.
$my_path = UserManager::get_user_picture_path_by_id($userId, 'system');
$IMConfig['base_dir'] = $my_path['dir'].'my_files/';
$my_path = UserManager::get_user_picture_path_by_id($userId, 'web');
$IMConfig['base_url'] = $my_path['dir'].'my_files/';
}
}

$IMConfig['server_name'] = $_SERVER['SERVER_NAME'];
Expand All @@ -91,11 +83,8 @@
demo - when true, no saving is allowed
*/
$IMConfig['demo'] = false;

/*
Possible values: true, false
TRUE - If PHP on the web server is in safe mode, set this to true.
SAFE MODE restrictions: directory creation will not be possible,
only the GD library can be used, other libraries require
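Review bot: The group branch still builds `base_dir`/`base_url` from `$group_properties['directory']` with no check that it is set, whereas the sibling connectors config in this same commit switched to `GroupManager::get_group_properties(api_get_group_id())` with an emptiness check; an unset or empty `directory` here resolves to the course-wide `/document/` tree. Also missing is the sibling's fallback: nothing blocks the request when neither branch produced a usable path, so an `if (empty($IMConfig['base_dir'])) { api_not_allowed(true); }` after the outer `if`/`else` would bring the two connectors into line. The `include` → `require_once` change for global.inc.php is the right direction and the same should be applied to the MP3 plugin in this commit.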
4 changes: 4 additions & 0 deletions main/inc/lib/fckeditor/editor/plugins/MP3/fck_mp3.php
100644 → 100755
Expand Up @@ -2,6 +2,10 @@
// name of the language file that needs to be included
$language_file = array('resourcelinker','document');
include('../../../../../../inc/global.inc.php');

// Disabling access for anonymous users.
api_block_anonymous_users();

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
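Review bot: The new `api_block_anonymous_users()` call depends on global.inc.php, which this file still pulls in with `include(...)`; the ImageManager config in the same commit moved to `require_once`, so that a failed load stops the script instead of emitting a warning and continuing. The practical effect is the same here only because the call to an undefined function would then fatal, which is an accident rather than a guard; `require_once '../../../../../../inc/global.inc.php';` makes the dependency explicit.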
7 changes: 3 additions & 4 deletions main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/inc/config.php
100644 → 100755
Expand Up @@ -16,8 +16,9 @@
// Loading the global initialization file.
require_once '../../../../../../inc/global.inc.php';

// Loading document repositories settings.
api_block_anonymous_users();

// Loading document repositories settings.
require_once api_get_path(LIBRARY_PATH).'fckeditor/repository.php';

//FILESYSTEM CONFIG
Expand Down Expand Up @@ -48,7 +49,6 @@ function secureFileName($input) {
define('DIR_AJAX_EDIT_AREA', DIR_AJAX_JS.'edit_area'.DIRECTORY_SEPARATOR);
define('DIR_LANG', DIR_AJAX_ROOT.'langs'.DIRECTORY_SEPARATOR);


//Class Declarations
define('CLASS_FILE', DIR_AJAX_INC.'class.file.php');
define("CLASS_UPLOAD", DIR_AJAX_INC.'class.upload.php');
Expand All @@ -69,7 +69,6 @@ function secureFileName($input) {

require_once dirname(__FILE__).DIRECTORY_SEPARATOR.$configBaseFileName;


// Loading the selected language file.
require_once DIR_AJAX_LANGS.CONFIG_LANG_DEFAULT.".php";

Expand Down Expand Up @@ -116,4 +115,4 @@ function secureFileName($input) {
define('CONFIG_URL_LIST_LISTING', 'ajax_get_file_listing.php');
define('CONFIG_URL_IMG_THUMBNAIL', $web_path.'ajax_image_thumbnail.php');
define('CONFIG_URL_FILEnIMAGE_MANAGER', 'ajaxfilemanager.php');
define('CONFIG_URL_FILE_PASTE', 'ajax_file_paste.php');
define('CONFIG_URL_FILE_PASTE', 'ajax_file_paste.php');
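Review bot: The added `api_block_anonymous_users();` in the first hunk carries no comment, while the same call added in the other connector configs of this commit is introduced with `// Disabling access for anonymous users.`; adding that line above it keeps the files readable side by side. The remaining hunks in this section are whitespace-only and raise nothing.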
